TRAINING 8 – Get Your Hands Dirty: From Packets to Malware Behaviors

0. 0. Day I1. Introduction
      • ●  About the teachers
      • ●  Introduction to the training, goals, dynamic of the class.
        • ○  It is not about tools
        • ○  It Is about learning to analyze malware traffic and to separate it from normal traffic.
      • ●  Intro of attendants
      • ●  Why to analyze network traffic?
      • ●  What can we do with this knowledge? What’s the real potential of this information?
      • ●  Start of notebooks with Kali, connection to Internet.
      • ●  What is an attack? What is the difference with normal?
      • ●  What is Malware? What is a botnet?

2. Revision of how network protocols work

0. 0. • ●  What’s the attendees current knowledge about networking?
      • ●  Network protocols, TCP/IP layers, how do they work?
      • ●  Horizontal and vertical communication
      • ●  Basic protocols. What are they for? Which ports do they use?

○ Ethernet, ARP, ICMP, IP, TCP, UDP, HTTP, DNS, SSH, SSL/TLS

3. Capturing traffic

● Introduction to standard tools for traffic capture and analysis: ○ Wireshark

• Start Wireshark and capture some of your traffic.
• Identify the hosts, ports and protocols used.
• See the different layers of protocols and encapsulations.
• Follow a TCP stream
• Capture filters, configuration of columns, statistics section○ Tcpdump

• Use tcpdump to see information from your network
• tcpdump filters by host, protocol, port
• tcpdump modes: ascii
• Read packet captures
• Mix all together: capture traffic, read, search for content inside the traffic

• ○  Network Miner, Caploader
• ○  Other useful tools: strings, tcpstat, dnstop, ngrep, p0f.

4. Experience of analysis of normal traffic and malware traffic

• ●  1st Example: Analysis of traffic capture #1
  • ○  Uncompress it and load it in wireshark.
  • ○  What can you say about it? What is going on?
  • ○  Analysis of the behavior of the connections.
  • ○  Malware or normal?
  • ○  Introducing Indicators of Compromise.
  • ○  IP & Hostname reputation■ https://www.virustotal.com/
    • ●  Search for IPs, domains or URLs
    • ●  See if you can infer something about the reputation of IOCs■ https://sitereview.bluecoat.com/sitereview.jsp ■ https://www.senderbase.org/
      ■ https://www.passivetotal.org
  • ○  Web traffic analysis
    • What are web access logs?
    • How to generate them?
    • What information do we see here?
    • Look for patterns, common things, characteristics.
    • What to do with patterns?
      • ●  Identify ‘behaviors’ of the botnet.
      • ●  Strong ‘pivot’ for hunting: search your network
      • ●  Create your own rules
      • ●  Emerging Threats pattern matching example
• ●  2nd Example: Analysis of traffic capture #2

○ What can you say about it? malware or normal?

● 3rd Example: Analysis of traffic capture #3

○ What can you say about it? is it malware or normal?

• ●  4th Example: Analysis of traffic capture #4
• ●  5th Example: Analysis of traffic capture #5

● 6th Example: Analysis of traffic capture #6

○ This is a large example. Your mission, if you accept it, is to discover if it is an attack or not, and what happened. You have 30 min. We expect your report.

5. First day wrap up

Day II

1. Introduction to second day

● Goals and agenda

2. Working with large files: slicing, filtering, and analysing

• ●  The problem of big packet captures. How big is ‘big’?
• ●  Getting an overview of the packet capture, determining what is important to see

○ capinfos, tcpstat, editcap

• ●  Strategies for slicing a big pcap: protocol, time, destinations, combination
• ●  1st example: slicing, trying out strategies, tools limitations
• ●  2nd example: slicing, analysing, putting information back together

3. Working with large files: flows and behaviors

• ●  Flows, Netflows, and massive long-term storage. Metadata.
• ●  Why to use flows? Performance, privacy, sharing.
• ●  Introduction to Argus: download, installation, configuration

○ Configuration files will be provided

• ●  Converting a pcap to netflows.
• ●  Capturing netflows in real time.
• ●  Example 1: Analyzing the traffic capture #7 with argus

○ Use argus to see the flows. Try to identify the interesting connections.
■ argus -F /etc/argus.conf -r capture1.pcap -w – “not arp and not ipv6” | ra

-F /etc/ra.conf -r – -n -Z b -s +suser:400 +duser:400|less ○ Which features are calling your attention?

● Example 2: Normal Capture (#8)
○ Use argus as above to see the flows with data.

• ●  Compare the flows of both captures
  • ○  What is different from a normal capture?
  • ○  Are the differences significant?
  • ○  How would you detect this differences?
  • ○  Which features of flows or traffic do you think are useful for detection?
• ●  3rd Example: Analysis of traffic capture #9 (of advanced malware)
  • ○  Convert to netflow with Argus.
  • ○  Use argus as above to see the flows with data.
• ●  4th Example: Analysis of traffic capture #10
  • ○  Convert to netflow with Argus.
  • ○  Use argus as above to see the flows with data.
• ●  Argus as a continuous monitoring and storing of files

○ Capture packets in several points in the network

■ argus -F argus.conf -i eth0 -P 200 ○ Get the flows with rasplit

• rasplit -S argus-server:200 -M time 1h -w /Data%Y/%m/%d/capture.%H.%M.%S.biargus – port ! 200
• This will store in 1hs files all the flows, separated in folders by day, month and year. If you combine it with the storage of data, you have a very good visibility.

4. Attacking each other and discovering the traffic

• ●  Start capturing traffic in your host using tcpdump
  • ○  Goal: To know what happens in the network with the SSH protocol (port 22)
  • ○  tcpdump -n -s0 -i eth0 -v -w /root/malware-nights-class-1-ssh-attack.pcap
• ●  Download this list of passwords (tbd)
• ●  Change your root password

○ As root
■ passwd (and put a good password)

● Create another user (unprivileged). The name of the user is test ■ useradd test

● Start the SSH service

○ /etc/init.d/ssh restart

● Change the password of the test user

○ First get one password randomly from the file.
■ N=`shuf -i 1-15 -n 1`; head -n $N best15.txt |tail -n 1

○ Then change it with the command (put it twice): ■ passwd test

● Put here the password printed by the previous command.

● Find other hosts in the network with the SSH port open

○ nmap -sS -p 22 -n -v <your-ip-address>/24 -oN ssh-servers.txt

• ●  Bruteforce the SSH password of the active hosts
  • ○  Medusa tool
    • medusa -h <IP-to-crack> -u <user-to-crack> -P best15.txt -M ssh
      • ●  -M is the service to crack
      • ●  -P the password file
      • ●  -u the user to crack
    • hydra -s 22 -l test -P best15.txt <IP-to-crack> ssh
  • ○  Pro Tips:
    • nmap can store the output in a grepable file
    • medusa can read a list of hosts from a file
    • medusa can parallelize, one host per thread
    • a better tool than nmap?
• ●  Analysis of the traffic
  • ○  Analyze your capture file
  • ○  For each IP you found in the network, report:■ If it had the port 22/TCP open or not

• If you found the password, and which was it.
• If somebody found the password of your computer or not. And how doyou know.
• Bonus question: Did they access your computer and type commands onit? How do you know?

5. Wrap up of second day, and closing the training